<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;CUMCRHc-cCp7ImA9WhRbGEw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798</id><updated>2012-02-09T13:51:05.958-05:00</updated><category term="Tivoli Directory Server" /><category term="Tivoli Identity Manager" /><category term="Pulse" /><category term="Miscellaneous" /><category term="Tivoli Directory Integrator" /><category term="Breach" /><category term="Noncompliance" /><category term="Tivoli Access Manager" /><category term="Tivoli Access Manager ESSO" /><title>Charles Ahart</title><subtitle type="html">Identity Management, Collaboration, Trials and Tribulations</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://charlesahart.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><generator version="7.00" 
uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>113</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/CharlesAhart" /><feedburner:info uri="charlesahart" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;DUAFR3w_cSp7ImA9WxBQE00.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-17350817838479217</id><published>2010-01-12T09:25:00.002-05:00</published><updated>2010-01-12T09:48:36.249-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-12T09:48:36.249-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Miscellaneous" /><title>Signed up for Pulse 2010 yet?</title><content type="html">Granted the recession of late has curtailed spending all around, but for many IT departments there are still a number of high-priority projects, especially in security.  If you are already an IBM shop, the Pulse conference is a great way to get a deeper look into the products and solutions that you are considering for the new year.  You will spend the time and money doing this research anyhow.  Why not come out to Vegas for a look under the hood?&lt;br /&gt;&lt;br /&gt;Pulse represents a pretty large swath of products.  Unlike Lotusphere, which focuses on Lotus and Portal, the Pulse conference covers all things Tivoli.  There are over 300 products in the Tivoli brand so this conference is a bit different than Lotusphere.  If you are into Asset Management or Performance and Monitoring, there are specific tracks for you.  If you are interested in Security, there is a whole other track for you as well.  
Within each area, there are a number of presentations from customers demonstrating recent deployments where you will get the real scoop on what their projects were like, the good and the bad.  This alone is worth the visit if you are planning a project with Tivoli software this year.  Also, you can stop in the hands-on labs and actually work directly with the software so that you can get a feel for how the product really works.  The labs are staffed by the IBM education team and there are some really sharp people there who can work through the labs with you.&lt;br /&gt;&lt;br /&gt;Pulse also has areas set up where you can "ask the experts" just about anything.  These are basically casual "sit down and chat" spaces where you can be face to face with folks from the product development teams and ask questions.  Nothing is so complicated that you cannot get an answer at Pulse.&lt;br /&gt;&lt;br /&gt;Business Partners and 3rd party vendors set up shop on the showcase floor to show you how they implement the IBM solutions.  You may get some really good ideas from these folks on how best to leverage the IBM solutions as well as find help getting started with an implementation.&lt;br /&gt;&lt;br /&gt;The technical sessions are a great way to get a look at some of the other products and solutions you may not have thought about before.  There is something here for everyone from C-level folks right down to the hands-on IT person so I recommend you come on out and see for yourself.  It's well worth the expense.&lt;br /&gt;&lt;br /&gt;BTW, the recreation is not all bad either.  While I do not enjoy gambling, being in Vegas is a spectacle.  The Pulse Palooza isn't a bad time either.  
Free beer!&lt;br /&gt;&lt;br /&gt;Register for Pulse 2010 --&gt; &lt;a href="http://www-01.ibm.com/software/tivoli/pulse/"&gt;http://www-01.ibm.com/software/tivoli/pulse/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Get a look at what's going on at Pulse 2010 --&gt; &lt;a href="https://www-950.ibm.com/communities/service/html/communityview?communityUuid=dd8bf011-85af-48da-a4dd-21047a08c33e"&gt;https://www-950.ibm.com/communities/service/html/communityview?communityUuid=dd8bf011-85af-48da-a4dd-21047a08c33e&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/17350817838479217/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=17350817838479217" title="9 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/17350817838479217?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/17350817838479217?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/ylGX4FFLpgw/signed-up-for-pulse-2010-yet.html" title="Signed up for Pulse 2010 yet?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>9</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2010/01/signed-up-for-pulse-2010-yet.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIMQnY5eSp7ImA9WxBQEk8.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-8248383301259863734</id><published>2010-01-08T22:51:00.004-05:00</published><updated>2010-01-11T11:49:43.821-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-11T11:49:43.821-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager ESSO" /><title>TAM ESSO v8.1 - Are you ready for WebSphere?</title><content type="html">Installing a standalone TAM ESSO IMS Server took about 2 hours to install including the database.  That was version 8.0. IBM released version 8.1 this past December and I spent this week going through the upgrade process to see what will be in store for folks who want to jump right into the new stuff.  It didn't take the whole week to do this upgrade, however I had to take it slow so that I could capture documentation for future reference.&lt;br /&gt;&lt;br /&gt;The big news is that TAM ESSO v8.1 requires IBM WebSphere Application Server.  When I first saw this I thought "ugggh".  But the reality is that you had to know this was coming and it makes sense to run IBM's single sign on solution on their own  application server.  &lt;br /&gt;&lt;br /&gt;This changes a lot though.  First off, deployments will take a little longer.  The fact is, even with the wizard installation tools, WAS is still a big pile of software to install.  You also need IBM HTTP Server.  
Both need to be patched once you install them and you can't even patch the software until you download the patch installer first (IBM UpdateInstaller).  But Windows shops should be used to that anyhow as you need to install Microsoft's update software in order to get Windows updates.&lt;br /&gt;&lt;br /&gt;First, is the upgrade worth it?  Of course.  If you want the best support for your software, keep on the latest and greatest.  Everyone has heard the same thing on a typical tech support phone call where the support guy asks, "What version of software are you running?" and you say, "1.2".  No doubt the support guy will suggest you try the latest version.  Sometimes it really comes down to which version has the fewest warts.  Because you know that the latest version of software will have something wrong with it, but you hope the latest has fewer warts than the older version and, let's face it, which version is getting the most attention?&lt;br /&gt;&lt;br /&gt;The new version of TAM ESSO does not look any different than the prior release as far as the end user is concerned.  But when you think about it, if TAM ESSO is doing its job, the user does not even know it is there.  All the user knows is that they log in to Windows, launch their applications and they are magically signed in.  Not much to see there.  But for the implementer or tech support team there is plenty to be happy about in the new release.&lt;br /&gt;&lt;br /&gt;1.) IBM has opened up the doors to more 2-factor devices.  Generic smart card support – this will leverage 3rd party products for smart card life cycle management and leverage Windows smart card authentication for certificate authentication.  Also, a Serial ID Service Provider Interface (SPI) has been introduced to allow any vendor with a serial ID device to integrate with TAM ESSO.  BIO-Key support has been added which will also widen the choices of 2-factor devices supported.&lt;br /&gt;&lt;br /&gt;2.) Wider platform coverage.  
Windows 7 is coming and shops already starting to  buy machines with Windows 7 want to be sure AccessAgent will work.  While IBM does not list Windows 7 specifically in the compatibility list, Kiosk support has been added for Vista and 64-bit Windows is supported for AccessAgent although there may be some issues with certain 3rd party strong authentication devices.  Word on the street is that Windows 7 will show up on the list when it is Microsoft certified.&lt;br /&gt;&lt;br /&gt;3.) New features in AccessStudio should make profiling a little easier.  The undo button is a nice option we take for granted in Word documents.  I like it in AccessStudio very much.  Another really nice feature that was added is the ability to take an existing trigger and convert it to a different type.  To me that's a welcome new enhancement.  The ability to save your profile as an image was there in version 8.0.1, but it's listed as a new feature for 8.1.  I like it nonetheless so thanks IBM.  Enhanced logging messages are also a big help.  Any time they make improvements to this area, I'll welcome it.  &lt;br /&gt;&lt;br /&gt;4.) Firefox finally!  I knew a lot of people that were really turned off by the lack of support for Firefox.  At first I was a little the same way, but I got used to using both IE and Firefox anyhow for reasons that have nothing to do with SSO.  I look forward to working with Firefox in profiling.&lt;br /&gt;&lt;br /&gt;Well, I'm off to another SSO project.  Stay tuned for more on this later.</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/8248383301259863734/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=8248383301259863734" title="12 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8248383301259863734?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8248383301259863734?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/_wyITfiwTAE/tam-esso-v81-are-you-ready-for.html" title="TAM ESSO v8.1 - Are you ready for WebSphere?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>12</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2010/01/tam-esso-v81-are-you-ready-for.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkAHSHg5cCp7ImA9WxBREkU.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-5267462176585088349</id><published>2009-12-31T14:14:00.003-05:00</published><updated>2009-12-31T14:45:39.628-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T14:45:39.628-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Server" /><title>Subject Alternative Name with GSKit</title><content type="html">Subject Alternative Names (SANs) allow you to obtain a single SSL certificate to protect multiple hosts.  So let's say you have two LDAP servers (server1 and server2) and you want to enable SSL, but you want to have clients reference only one DNS name (ldapserver) to connect to any of the LDAP servers.  Likely you will have a load balancer of some kind in front of the LDAP servers.  One way to do the Certificate Signing Request (CSR) is to specify "ldapserver" in the host name field and then specify "server1" as the SAN.  The problem is IKeyMan doesn't have a way of including a SAN in the CSR.&lt;br /&gt;&lt;br /&gt;This is not a problem for a couple of reasons.  For one, you can use the command line tools with GSKit to create a CSR containing a SAN.  
While the GUI lacks this capability, it seems the command line supports it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;gsk7cmd -cert -create -db /keys/tds.kdb -pw password -label junk -dn "cn=tds1,o=bigco,c=us" -san_dnsname tdswin1,tdssrv1 -expire 3653&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The other option is to create the CSR using IKeyMan without the SAN.  When you post the CSR certificate into the web form at Verisign or whatever other CA you choose, you should be able to use the CA form to specify the SAN.  This way the signed version of the certificate you receive back from the CA will contain the SAN.  IKeyMan supports receiving the signed certificate back into the key database with the SAN included so this will work fine.  In fact this is the easiest way to do this.  For your LDAP servers it is best to create the Key database using IKeyMan and issue the CSR from there.  That way you can do the Receive Certificate operation later when you receive the signed certificate back from the CA.&lt;br /&gt;&lt;br /&gt;Cheers!</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/5267462176585088349/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=5267462176585088349" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5267462176585088349?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5267462176585088349?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/-4ZYK-gCTCQ/subject-alternative-name-with-gskit.html" title="Subject Alternative Name with GSKit" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>3</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/12/subject-alternative-name-with-gskit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8HQnszfip7ImA9WxBREkU.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-9046840834364286963</id><published>2009-12-22T08:08:00.000-05:00</published><updated>2009-12-31T14:13:53.586-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T14:13:53.586-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Server" /><title>TDS Web Admin Tool - 
Superuser</title><content type="html">Be careful changing the credentials for this.  When you login to the TDS Web Admin Tool and attempt to change either the user name or password for the superuser (default superadmin) I have seen cases where something got screwed up and the end result was to uninstall and re-install the TDS Web Admin Tool completely.&lt;br /&gt;&lt;br /&gt;It seems that the tool is a little quirky if you try to change the user name and password at the same time.  My best recommendation is to change the username, log out of the tool, then log back into the tool with your new user name and the original password.  Then change the password for the user.  Log out of the tool, then back in with the new user name and new password.</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/9046840834364286963/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=9046840834364286963" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/9046840834364286963?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/9046840834364286963?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/KKzFxszJ_oQ/tds-web-admin-tool-superuser.html" title="TDS Web Admin Tool - Superuser" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>2</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/12/tds-web-admin-tool-superuser.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEcHQH44eip7ImA9WxBREkU.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-3869636001054428796</id><published>2009-12-14T13:27:00.000-05:00</published><updated>2009-12-31T14:00:31.032-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T14:00:31.032-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Server" /><title>How much do you rely on the TDS Web Admin 
Tool?</title><content type="html">I usually set up TDS as an enterprise LDAP, but usually as part of a larger security initiative such as Identity and Access Management.  Since LDAP is the underlying user registry for ITIM and ITAM we typically do not use the TDS Web Admin tool for much more than some initial setup and configuration of the LDAP.  Beyond that ITIM and ITAM have their own management tools.&lt;br /&gt;&lt;br /&gt;But, if your goals for LDAP were simpler and you are not implementing an Identity Management solution, well you are limited to a few different tools to manage your LDAP directory:&lt;br /&gt;&lt;br /&gt;Command Line tools such as ldapsearch, ldapadd, idsldapsearch, idsldapadd, etc.&lt;br /&gt;TDS Web Admin Tool (GUI)&lt;br /&gt;3rd Party tools such as Softerra's LDAP Administrator&lt;br /&gt;&lt;br /&gt;Those who are new to LDAP in general and do not prefer to use command line tools naturally gravitate to the TDS Web Admin Tool.  In general it's a pretty good tool and in TDS 6.2 it is much better than 6.0 for tasks such as setting up replication, but it's still a bit buggy.  &lt;br /&gt;&lt;br /&gt;For example I ran into a problem recently where we had a boolean attribute configured as a mandatory attribute for our objectclass.  Using TDS Web Admin Tool to create a new user entry results in an objectclass violation.  Meanwhile using idsldapadd works just fine.  It turned out to be a legitimate bug with a fix on the way, but there are other quirky issues with this tool.&lt;br /&gt;&lt;br /&gt;Another problem I noticed: in one case I have 5000 entries populated in the LDAP.  If I navigate through the directory tree I can see the entries listed, but if I click on an entry it should open up the edit screen for that entry.  Instead it does nothing at all.  Yet, if I use the directory search tools in TDS Web Admin GUI I can find a specific entry and then click on the entry which correctly opens the edit screen for that same entry.  
Weird.&lt;br /&gt;&lt;br /&gt;Another issue which I would consider a bug and I don't know if IBM will ever address this:&lt;br /&gt;&lt;br /&gt;If I customize the LDAP Schema by using custom schema files, i.e. V3.myschema.oc and V3.myschema.at, the Web Admin Tool does not acknowledge this and continues to drop stuff in V3.modifiedschema instead.  TDS supports creating custom schema files by allowing you to reference the custom files in ibmslapd.conf.  This is one way of keeping your custom schema organized neatly.  In fact if you keep all of your custom attributes and classes in order by OID (assuming you are using a legitimately registered OID) then it makes it easy to know what OID to use next for any new attributes or classes.  Also, if you have replicas, applying schema updates to the replicas is a simple matter of copying your updated schema files over to the replicas and restarting them.&lt;br /&gt;&lt;br /&gt;Anyhow, most folks managing LDAP servers seem to prefer using 3rd Party tools if they need a good GUI style interface, but it would be nice if the Web Admin Tool was a little less buggy.</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/3869636001054428796/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=3869636001054428796" title="6 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/3869636001054428796?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/3869636001054428796?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/DUmzuDgpmFw/how-much-do-you-rely-on-tds-web-admin.html" title="How much do you rely on the TDS Web Admin Tool?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>6</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/12/how-much-do-you-rely-on-tds-web-admin.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ak8DSHg7eSp7ImA9WxBREko.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-4433483415992509987</id><published>2009-11-26T23:49:00.000-05:00</published><updated>2009-12-31T12:01:19.601-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T12:01:19.601-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager ESSO" /><title>AccessStudio vanishes?</title><content type="html">Anyone who has spent any considerable amount of time profiling applications must have noticed this.  You're toiling away on a profile for hours, testing some password change workflow or something and suddenly AccessStudio just disappears into thin air.  And at least the first time you saw this it was probably after having made numerous changes in the state machine without saving your work, right?  And to top it off, trying to simply re-launch AccessStudio won't help, because there are still pieces of it running somewhere in Windows voodoo land so it will complain if you attempt to run another test session.  Chalk it up to yet another reason to re-boot your Windows machine.&lt;br /&gt;&lt;br /&gt;Sorry, I have no solution, but am looking out for one. I have seen this problem in 8.0.0 and 8.0.1 so maybe the new 8.1 version will be better. I look forward to upgrading.</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/4433483415992509987/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=4433483415992509987" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4433483415992509987?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4433483415992509987?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/3FyJevy83Dc/accessstudio-vanishes.html" title="AccessStudio vanishes?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>1</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/11/accessstudio-vanishes.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkYFQXg9cSp7ImA9WxBREko.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-97719087454785686</id><published>2009-11-19T13:57:00.000-05:00</published><updated>2009-12-31T11:48:30.669-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T11:48:30.669-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager ESSO" /><title>TAM ESSO and support for Java</title><content type="html">TAM ESSO supports Java applications for sure, but if you haven't deployed it yet there are a few issues which you might need to be aware of.&lt;br /&gt;&lt;br /&gt;First, when you install AccessAgent on a computer, the installer will try and find any instances of Java on the computer and will add support for that Java.  After installing AccessAgent find the directories on your computer where Java is installed and you should see the following files at these locations:&lt;br /&gt;&lt;br /&gt;\jre\lib\accessiblity.properties                                       &lt;br /&gt;\jre\lib\ext\jaccess.jar                                               &lt;br /&gt;\jre\lib\ext\EncAwtAgent.jar&lt;br /&gt;&lt;br /&gt;Some applications may get installed with their own Java.  
If the AccessAgent installer does not detect that Java, you will have problems profiling the Java application, and AccessAgent will not detect the profile for SSO.&lt;br /&gt;&lt;br /&gt;If you wish to add support for the application after AccessAgent has already been installed, there is a script you can run, located here:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;C:\Program Files\Encentuate\JavaSupport&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For example, let's say you have a Java application called "XYZ App" installed which has its own instance of Java under its own program directory.  Launch the script, specifying the location of the JRE:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;C:\Program Files\Encentuate\JavaSupport&gt;JVMSupport.vbs /d C:\Program Files\XYZ App\jre &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Going forward, you will probably want AccessAgent to support this Java on every machine that has this application installed, without having to visit each workstation to run the script.  The JVM paths can be specified at the time you install AccessAgent on end user machines.  The SetupHlp.ini file contains parameters for specifying these JVM paths.  This part is clearly documented in the TAM ESSO installation and administration guides, but I'll mention it here:&lt;br /&gt;&lt;br /&gt;SetupHlp.ini parameters:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;JVMInstallationDirectories&lt;br /&gt;OldJVMInstallationDirectories&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;AccessAgent Seems Slow?&lt;br /&gt;&lt;br /&gt;One thing that seems relevant here is that AccessAgent can appear noticeably slower when profiling or testing with Java applications.  By default AccessAgent logs all activity at LogLevel=3.  This is a pretty good level for debugging.  However, for production you probably do not need logging at this level.  AccessAgent performs considerably better at LogLevel=1 or 0.  
So if you see issues with the profiles appearing slow, especially for Java applications, you may want to go ahead and drop that &lt;span style="font-weight:bold;"&gt;LogLevel&lt;/span&gt; down:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\DeploymentOptions\&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;BTW, if AccessAgent seems slow, it may not be the fault of the LogLevel or TAM ESSO at all.  There are other outside factors which could affect the performance of AccessAgent, including some antivirus software, but in most cases you will not notice any change in the performance of your desktops with TAM ESSO.  With all that is going on, it performs excellently.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/97719087454785686/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=97719087454785686" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/97719087454785686?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/97719087454785686?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/cCduQKG94a4/tam-esso-and-support-for-java.html" title="TAM ESSO and support for Java" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/11/tam-esso-and-support-for-java.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4AQnw5eip7ImA9WxBREko.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-6291598718858348397</id><published>2009-11-16T10:32:00.004-05:00</published><updated>2009-12-31T10:55:43.222-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-31T10:55:43.222-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager ESSO" /><title>Change Listening Ports on your IMS 
Server</title><content type="html">TAM ESSO IMS Server listens on ports 80 and 443 by default.  Typically this is perfectly fine.  However, you may have a situation in which you need to change these default ports and it is not well documented how to do this.&lt;br /&gt;&lt;br /&gt;1.)Edit the server.xml file located at &lt;Drive&gt;:\Encentuate\IMSServer8.x.x.x\conf&lt;br /&gt;&lt;br /&gt;The following is an excerpt from my server.xml file.  The lines to change are in bold.  In my case I changed the default listening port to 89 and the redirect and connector port to 1443.&lt;br /&gt;&lt;br /&gt;     Connector&lt;br /&gt;            &lt;span style="font-weight:bold;"&gt;port="89"&lt;/span&gt;&lt;br /&gt;            minProcessors="5"&lt;br /&gt;            maxProcessors="400"&lt;br /&gt;            enableLookups="false"&lt;br /&gt;            &lt;span style="font-weight:bold;"&gt;redirectPort="1443"&lt;/span&gt;&lt;br /&gt;            acceptCount="100"&lt;br /&gt;            debug="0"&lt;br /&gt;            server="EWS/2.0"&lt;br /&gt;            connectionTimeout="20000"&lt;br /&gt;            useURIValidationHack="false"&lt;br /&gt;            disableUploadTimeout="true"&lt;br /&gt;         algorithm="IbmX509"&lt;br /&gt;&lt;br /&gt;         Connector&lt;br /&gt;            &lt;span style="font-weight:bold;"&gt;port="1443"&lt;/span&gt;&lt;br /&gt;            minProcessors="400"&lt;br /&gt;            maxProcessors="800"&lt;br /&gt;            enableLookups="false"&lt;br /&gt;            acceptCount="100"&lt;br /&gt;            debug="0"&lt;br /&gt;            scheme="https"&lt;br /&gt;            secure="true"&lt;br /&gt;            useURIValidationHack="false"&lt;br /&gt;            disableUploadTimeout="true"&lt;br /&gt;            clientAuth="false"               &lt;br /&gt;            keystoreFile="ims/certs/keystore/ssl_keystore"&lt;br /&gt;            SSLImplementation="encentuate.tomcat.EncentuateSslImpl"&lt;br /&gt;            algorithm="IbmX509"&lt;br 
/&gt;            keyAlias="ims"&lt;br /&gt;            sslProtocol="SSL_TLS"&lt;br /&gt;            ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RS&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2.)Edit the accessAnywhere.properties file at &lt;Drive&gt;:\Encentuate\IMSServer8.x.x.x\ims\config&lt;br /&gt;&lt;br /&gt;Modify the port setting in the following stanza:&lt;br /&gt;# The IMS Server's SSL port&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;IMS_SERVER_SSL_PORT=1443&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3.)Restart the IMS Server for changes to take effect.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/6291598718858348397/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=6291598718858348397" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/6291598718858348397?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/6291598718858348397?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/aMCHiJb0xPE/change-listening-ports-on-your-ims.html" title="Change Listening Ports on your IMS Server" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/11/change-listening-ports-on-your-ims.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0MNRHs7fip7ImA9WxNWEk0.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-6269001425157337941</id><published>2009-10-10T16:05:00.005-04:00</published><updated>2009-10-10T16:11:35.506-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-10T16:11:35.506-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager" /><title>Another Quirk with Tivoli 
Common Reporting...</title><content type="html">Just thought I would mention this. The report package you download for Tivoli Common Reporting may produce an error like the following:&lt;br /&gt;&lt;br /&gt;Error CTGTRD040E&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_RYX6m6z2GVU/StDpYJdlKcI/AAAAAAAAAKU/Dfkf6yXYaVM/s1600-h/clip_image002.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 143px;" src="http://4.bp.blogspot.com/_RYX6m6z2GVU/StDpYJdlKcI/AAAAAAAAAKU/Dfkf6yXYaVM/s200/clip_image002.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5391065355028605378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To get around this I unzipped the report file and re-zipped it using WinRAR.  For some reason TCR 1.1.1 has a problem with some zip files.  Something about not liking directory names as zip file entries.  Anyhow, WinRAR did the trick.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/6269001425157337941/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=6269001425157337941" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/6269001425157337941?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/6269001425157337941?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/YwaFnrQ9HVs/another-quirk-with-tivoli-common.html" title="Another Quirk with Tivoli Common Reporting..." 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_RYX6m6z2GVU/StDpYJdlKcI/AAAAAAAAAKU/Dfkf6yXYaVM/s72-c/clip_image002.jpg" height="72" width="72" /><thr:total>4</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/10/another-quirk-with-tivoli-common.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUMBRn4-fSp7ImA9WxNWEk0.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-7795362274969445026</id><published>2009-10-10T15:32:00.002-04:00</published><updated>2009-10-10T15:37:37.055-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-10T15:37:37.055-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager" /><title>Can't find TAMeB Reports?</title><content type="html">Just in case you are hunting and pecking for reports for TAMeB using Tivoli Common Reporting, I assume you've seen the documentation for auditing TAMeB.  It's only 500+ pages.  :-)&lt;br /&gt;&lt;br /&gt;The basic idea is that you will first install Tivoli Common Reporting (integrated in the WebSphere Integrated System Console).  Then you need to download the reports from the support web site.  Why they don't simply include these with TAM is a mystery.  Oh and good luck finding them by searching reports, or audit reports, etc....  If you search for "Operational Reports" you will find them.  
Go figure.&lt;br /&gt;&lt;br /&gt;Anyhow the link to the reports:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=638&amp;context=SSPREK&amp;q1=operational+reports&amp;uid=swg21303439&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=638&amp;context=SSPREK&amp;q1=operational+reports&amp;uid=swg21303439&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/7795362274969445026/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=7795362274969445026" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7795362274969445026?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7795362274969445026?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/Hx4lx-4ZHU4/cant-find-tameb-reports.html" title="Can't find TAMeB Reports?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/10/cant-find-tameb-reports.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EEQ3o9eCp7ImA9WxJaFEw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-268927384528413387</id><published>2009-08-04T15:46:00.002-04:00</published><updated>2009-08-04T15:53:22.460-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-04T15:53:22.460-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Integrator" /><title>TDI 7 - Eclipse anyone?</title><content type="html">So I think that most of us using TDI over the past few years can say mostly good things about the product.  Personally, it's one of my favorite tools in the Tivoli Security stack; being largely a non-developer type, I feel empowered when I make cool things work with it.  However, most people would also agree that the product's implementation of Swing might be a bit off.  Just weird stuff: if you have a pop-up window and you hit the Enter key, you expect the OK button to depress.  And sometimes resizing windows is a little weird.  I've even had to close the tool kit and reopen it sometimes just to make things work.&lt;br /&gt;&lt;br /&gt;All that is pretty much gone with the new TDI 7.0.  Oh, and I believe there is a fix pack out already.  I'm just starting to play with this new version.  
It takes some getting used to if you're not comfortable with Eclipse, but I look forward to working with it.&lt;br /&gt;&lt;br /&gt;BTW, there is a pretty cool tutorial out there you can check out:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://sites.google.com/site/tdi7islive/"&gt;http://sites.google.com/site/tdi7islive/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Nice job, whoever took the time to do this!
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/268927384528413387/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=268927384528413387" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/268927384528413387?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/268927384528413387?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/Zizz4-u8uoE/tdi-7-eclipse-anyone.html" title="TDI 7 - Eclipse anyone?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/08/tdi-7-eclipse-anyone.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEACQnozfip7ImA9WxJUEUw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-5218657556808289686</id><published>2009-07-08T23:46:00.003-04:00</published><updated>2009-07-09T00:12:43.486-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-09T00:12:43.486-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Breach" /><title>Risk - ignore, accept, mitigate, insure</title><content type="html">Tivoli security professionals are pretty much in the Risk Mitigation business.  Any organization that holds identity information in-house on employees, customers, or partners will at some point address the risk of losing this information. And subsequently they will ask:&lt;br /&gt;&lt;br /&gt;"What's the chance of losing that information?"&lt;br /&gt;"What's the cost to us if that information gets lost?"&lt;br /&gt;"What should we do about it?"&lt;br /&gt;&lt;br /&gt;The answers are undoubtedly: ignore the risk, accept the risk, mitigate against that risk, or just buy some extra insurance.&lt;br /&gt;&lt;br /&gt;Organizations large and small are thinking about how important it is to deprovision accounts that are no longer needed.  Doing this via e-mail is not going to work well.  
This is one main reason Identity Management systems exist.&lt;br /&gt;&lt;br /&gt;These latest security breaches illustrate the headaches organizations face when they fail to ensure that their former employees are removed from accessing their IT systems:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://datalossdb.org/incidents/2152-unauthorized-access-by-a-former-employee-exposes-names-addresses-and-social-security-numbers-of-past-and-present-employees"&gt;http://datalossdb.org/incidents/2152-unauthorized-access-by-a-former-employee-exposes-names-addresses-and-social-security-numbers-of-past-and-present-employees&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And this one was even more brazen by an American Express employee.  Holy crap $1 million.  This guy had a good job watching over the systems that hold data for many of us.  I'm not sure how you prove that a laptop which is reported stolen wasn't really stolen.  This dude should go to jail for a long time.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.kpho.com/money/19936013/detail.html"&gt;http://www.kpho.com/money/19936013/detail.html&lt;/a&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/5218657556808289686/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=5218657556808289686" title="8 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5218657556808289686?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5218657556808289686?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/Sh6fYL8VO64/risk-ignore-accept-mitigate-insure.html" title="Risk - ignore, accept, mitigate, insure" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>8</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/07/risk-ignore-accept-mitigate-insure.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMGSXgzeip7ImA9WxJUEUw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-7564205128520534031</id><published>2009-07-08T22:35:00.002-04:00</published><updated>2009-07-08T23:33:48.682-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-08T23:33:48.682-04:00</app:edited><title>Why hire consultants?</title><content type="html">I have always thought of myself as a consultant.  
Perhaps I'm just a people pleaser, not to the extreme that I'm compulsive or anything, but that I genuinely like to help others.  I can recall the days when DOS 5 was a huge deal.  I was networking computers using ArcNet, LANTastic and Novell 3.  A 386 DX2/66 with 4MB of RAM was smoke'n fast.  &lt;br /&gt;&lt;br /&gt;I recall some of the best advice I got from a guy named John Posey (John, if you're still out there, thanks for all your help).  He said, "Chuck, run out and buy yourself a DOS book."  The past mystery of my Commodore 64 seemed silly once I read that DOS book.  It was clear to me then that if one could read, one could do this technology stuff.  Oh how things have gotten so complicated.&lt;br /&gt;&lt;br /&gt;So, why should you hire consultants?  &lt;br /&gt;&lt;br /&gt;1.) Well, look, I understand all you geeks out there who are highly skilled can certainly figure all this stuff out yourselves.  Like I just said, if you can read, you'll get there eventually.  But the bottom line is there just isn't time for everyone to know everything.  Take TIM, TAMeB, TFIM, TAM ESSO, TCIM, TSOM, and the rest of the Tivoli Security products.  If you want to implement any one of these or some of them, you can certainly buy the software, read the manuals and go for it.  The fact is, though, it doesn't always work like the manual says.  So, you may have to do it a few times until it's right.  And that's OK.  But businesses today are more concerned with ensuring that the technology is solving business needs. They are not necessarily interested in making you an expert at installing Tivoli software.  That perhaps is better left to consultants.&lt;br /&gt;&lt;br /&gt;2.) Good consultants are in this game because they like to help people. At least that's the experience I have seen with the colleagues I work with.  And the objective is to enable customers to be self-sufficient in steady state maintainability of the products and solutions.&lt;br /&gt;&lt;br /&gt;3.) 
We really have seen many use cases, configurations and different applications of these software products, so you can save a ton of time in the planning phases of your projects by using consultants.&lt;br /&gt;&lt;br /&gt;4.) Consultants in the security business have a lot of friends doing the same thing, which can help in getting the right skills on the job.  Solutions using enterprise software like Tivoli will often require many different skills.  There will rarely be one guy/gal who can do it all. Although I've worked with some amazingly bright people in this business, there are usually multiple people involved in average Identity Management projects.  Utilizing a good consulting group will help you succeed.  For Tivoli, an IBM Business Partner is key for a couple of reasons:&lt;br /&gt;     a.) IBM Business Partners have unique relationships with IBM, which helps to deliver solutions most cost effectively.&lt;br /&gt;     b.) IBM Business Partners can bring versatile project management skills to your project, which may involve IBM and non-IBM products and solutions.&lt;br /&gt;     c.) IBM Business Partners can bring low cost resources into your project as well as subcontracted IBM resources, which helps to drive down the cost of your project while maintaining a strong IBM presence in the success of the project.&lt;br /&gt;     d.) IBM Business Partners have a vested interest in seeing the IBM solution succeed.&lt;br /&gt;&lt;br /&gt;5.) Good consultants will pass on their experience and knowledge to you.  I tend to share as much as I know because I believe that in educating people, I will also learn some new things.  Every good project should have some time dedicated to knowledge transfer, but even when that dedicated time is not there, you will still learn a lot from a good consultant.&lt;br /&gt;&lt;br /&gt;6.) Consultants save you time and money in the long run.  Let's face it, time is money.  
If a project is being managed properly, there will be some realistic goals and objectives.  If the goal is, say, that 6 months from now we will have xyz product installed and configured, and you already have a full-time job, then how likely is it that you will meet that goal?  Hire the consultant and get the job done.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/7564205128520534031/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=7564205128520534031" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7564205128520534031?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7564205128520534031?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/_PitAEjxBKg/why-hire-consultants.html" title="Why hire consultants?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>1</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/07/why-hire-consultants.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEENR3o8cSp7ImA9WxJVE0o.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-4114402048784999751</id><published>2009-06-30T10:07:00.003-04:00</published><updated>2009-06-30T10:38:16.479-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-30T10:38:16.479-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager" /><title>Changing LDAP Suffix</title><content type="html">Of course, when building an LDAP, it's best practice to choose your LDAP structure wisely and carefully to minimize any ugly rework later.  This is a no-brainer.  But I've been working on setting up a demo test system for TFIM.  And, as I am not a web developer, I'm going to use the demo apps that come with Tivoli Federated Identity Manager 6.1.  But this Federation demo assumes that there are specific configurations done in your LDAP first.&lt;br /&gt;&lt;br /&gt;Now, I already had a working TAMeB system with TDS and WAS, etc....  So I wanted to use what I had to minimize the work in setting up TFIM.  I built another TAMeB environment to act as my partner site as well. Installing TFIM and creating the Federation domain was no problem.  Even creating the Federation agreements and exporting both sides was straightforward.  
But when it came to configuring TAM for TFIM I ran into an unforeseen snag at the point where this program wants to configure for the demo apps:&lt;br /&gt;&lt;br /&gt;tam:/opt/IBM/FIM/tools/tamcfg # java -jar ./tfimcfg.jar -action tamconfig -cfgfile /opt/pdweb/etc/webseald-default.conf&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;Press 1 for Next, 2 for Previous, 3 to Repeat, C to Cancel: 1&lt;br /&gt;Perform configuration for demo application (y/n): y&lt;br /&gt;Checking for DN cn=elain,o=identityprovider,dc=com.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;FBTTAC062E Error checking for the DN cn=elain,o=identityprovider,dc=com in the user registry:&lt;br /&gt; HPDMG0761W   The entry referred to by the Distinguished Name (DN) must be a person entry.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt; You may need to create this registry entry manually or use the itfim-pre-install-tool.jar to create it for you.&lt;br /&gt;Press 1 to Repeat, 2 for Previous, C to Cancel:&lt;br /&gt;&lt;br /&gt;So, I really didn't consider that the demo apps for TFIM would be relying on specific users to exist in TAM/LDAP and even a specific LDAP structure.  This is sort of lame.  I need these demo apps for my testing, yet I'm forced to have a specific set of users and LDAP design.  Annoying. &lt;br /&gt;&lt;br /&gt;I set to work making the necessary changes to my LDAP, however one problem was that my suffix was already dc=ca,dc=com and the LDAP will not allow me to create a new object for the demo "o=identityprovider,dc=com".  This means I need a new suffix at dc=com which the LDAP will not allow since a suffix already exists containing dc=com.  No worries, I figure I'll just do a &lt;span style="font-weight:bold;"&gt;db2ldif&lt;/span&gt; and export my users and groups, etc... 
(TAM is using these already), then blow out the LDAP, delete the  existing suffix and create a new one "dc=com", then just add the "dc=ca" domain under the  suffix and finally  do a &lt;span style="font-weight:bold;"&gt;ldif2db&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;This all worked right up until I realized that the ACLs do not go back into the LDAP.  The &lt;span style="font-weight:bold;"&gt;db2ldif&lt;/span&gt; utility will capture the ACLs and they will be right there in your LDIF file, but for some reason when you use the &lt;span style="font-weight:bold;"&gt;ldif2db&lt;/span&gt; these ACLs do not go back into the LDAP. Additionally I tried  a bulkload with the -A and still no  ACLs. I know that I must be missing something.  Rather than spend a lot of time troubleshooting this I ended up configuring the ACLs for TAM manually on my "dc=com" object so that I could get back to business.  If anyone knows what I may have missed, feel free to let me know.&lt;br /&gt;&lt;br /&gt;Regards
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/4114402048784999751/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=4114402048784999751" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4114402048784999751?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4114402048784999751?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/GnnHn-_l0MY/changing-ldap-suffix.html" title="Changing LDAP Suffix" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>2</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/06/changing-ldap-suffix.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUYHRH46fyp7ImA9WxJXEEk.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-2371935380912693461</id><published>2009-06-03T11:12:00.005-04:00</published><updated>2009-06-03T11:32:15.017-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-03T11:32:15.017-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Miscellaneous" /><title>Which product version do you have?</title><content type="html">The Tivoli security 
products contain several components and middleware, which sometimes makes it difficult to know exactly what versions and fix packs you are at for all of the pieces.  Also, you may only need this information once in a while, maybe for troubleshooting a problem or planning some upgrade or change to the environment.  So you ask, "What was that command again to determine the version of TIM, TAM, WAS, TDI, etc.?"  And as usual, for every piece of the puzzle the commands or procedure for determining the versions and fix packs are different.  Then, finding this information on the IBM Support site or the Information Center is difficult for some pieces.  You would think that for each product the first chapter of the Problem Determination Guide would start with "How to determine your product version and fix pack level".  NOT!&lt;br /&gt;&lt;br /&gt;I'm simply listing here the results of my hour and 1/2 of internet searches to hopefully save time when I need this info again.  There are, by the way, some very good IBM wiki sites for this info.  I've listed some below.  
It's crazy though that these wikis did not show up in my searches of the IBM Support site.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check Version Info for TDS 5.2&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268258&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268258&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;rpm -qa | grep ldap&lt;br /&gt;rpm -qa | grep db2&lt;br /&gt;rpm -qa | grep gsk&lt;br /&gt;ls -l /usr/ldap/bin&lt;br /&gt;ibmslapd -V&lt;br /&gt;&lt;br /&gt;If the Web Administration Tool is installed and configured please collect the output of:&lt;br /&gt;ls -l /usr/ldap/idstools/IDSWebApp.war&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for TDS 6.0&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268261&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268261&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;rpm -qa | grep -i ldap&lt;br /&gt;rpm -qa | grep -i db2&lt;br /&gt;rpm -qa | grep -i gsk&lt;br /&gt;ibmslapd -V&lt;br /&gt;idsilist -a&lt;br /&gt;&lt;br /&gt;If the Web Administration Tool is installed and configured collect the output from:&lt;br /&gt;./opt/ibm/ldap/V6.0/idstools/deploy_IDSWebApp.sh -v&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for TDS 6.1&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268263&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21268263&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;/opt/ibm/ldap/V6.1/bin/idsversion&lt;br /&gt;rpm -qa | grep -i gsk&lt;br /&gt;idsilist -a&lt;br /&gt;&lt;br /&gt;If you are using DB2 v9.1 or higher issue the following command:&lt;br /&gt;/usr/local/bin/db2ls&lt;br /&gt;&lt;br /&gt;Otherwise issue:&lt;br /&gt;rpm -qa | grep -i db2&lt;br /&gt;&lt;br /&gt;If the Web Administration Tool is installed and configured, please collect the following:&lt;br /&gt;/opt/IBM/ldap/V6.1/idstools/deploy_IDSWebApp -v&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check version of the TDS Web Admin Tool (Any version)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21320615&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=version&amp;uid=swg21320615&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for Version of WebSphere&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=638&amp;context=SSPREK&amp;q1=version&amp;uid=swg21306756&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=638&amp;context=SSPREK&amp;q1=version&amp;uid=swg21306756&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;versionInfo.sh in the app_server_root/bin directory. 
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for TAMeB&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/software/info/testinfo.jsp?uid=IC000043"&gt;http://www.ibm.com/software/info/testinfo.jsp?uid=IC000043&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;pdversion&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for TIM&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+Product+Fixpack+Levels"&gt;http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+Product+Fixpack+Levels&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the TIM Admin Console, open the "About" page&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;Server name: secperf12&lt;br /&gt;Version: 5.0.0.3&lt;br /&gt;Build number: 200809241018&lt;br /&gt;Maintenance level: IF0014&lt;br /&gt;Build date: September 24 2008&lt;br /&gt;Build time: 10:18:08 GMT-05:00&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for GSKit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+GSKit+Fixpack+Level"&gt;http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+GSKit+Fixpack+Level&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Check for version info for TDI 6.0&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+Tivoli+Directory+Integrator+Fixpack+Level"&gt;http://www.ibm.com/developerworks/wikis/display/tivoliim/Determining+IBM+Tivoli+Directory+Integrator+Fixpack+Level&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Check for version info for TDI 6.1&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www-01.ibm.com/support/docview.wss?uid=swg21302983"&gt;http://www-01.ibm.com/support/docview.wss?uid=swg21302983&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;Unix/Linux -&lt;br /&gt;1) cd /usr/ibm/common/acsi/bin&lt;br /&gt;2) //source the setenv.sh&lt;br /&gt;. /var/ibm/common/acsi/setenv.sh&lt;br /&gt;3) //run the listIU.sh&lt;br /&gt;./listIU.sh | grep -i tdiserversiu &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Check for version info for TIM Agents&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=644&amp;context=SSTFWV&amp;dc=DA420&amp;dc=DA480&amp;dc=DA490&amp;dc=DA430&amp;dc=DA410&amp;dc=DB600&amp;dc=DA400&amp;dc=D600&amp;dc=D700&amp;dc=DB520&amp;dc=DB510&amp;dc=DA500&amp;dc=DA470&amp;dc=DA4A20&amp;dc=DA460&amp;dc=DA440&amp;dc=DB550&amp;dc=DB560&amp;dc=DB700&amp;dc=DB530&amp;dc=DA4A10&amp;dc=DA4A30&amp;dc=DB540&amp;q1=version&amp;uid=swg21140454&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=644&amp;context=SSTFWV&amp;dc=DA420&amp;dc=DA480&amp;dc=DA490&amp;dc=DA430&amp;dc=DA410&amp;dc=DB600&amp;dc=DA400&amp;dc=D600&amp;dc=D700&amp;dc=DB520&amp;dc=DB510&amp;dc=DA500&amp;dc=DA470&amp;dc=DA4A20&amp;dc=DA460&amp;dc=DA440&amp;dc=DB550&amp;dc=DB560&amp;dc=DB700&amp;dc=DB530&amp;dc=DA4A10&amp;dc=DA4A30&amp;dc=DB540&amp;q1=version&amp;uid=swg21140454&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;Run agentCfg -&gt; Configuration Settings
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/2371935380912693461/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=2371935380912693461" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2371935380912693461?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2371935380912693461?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/5Ul9OPIYgmI/which-product-version-do-you-have.html" title="Which product version do you have?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>2</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/06/which-product-version-do-you-have.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEYDRXc7fyp7ImA9WxJQGUo.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-7886809525985368916</id><published>2009-06-02T16:25:00.003-04:00</published><updated>2009-06-02T16:56:14.907-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-02T16:56:14.907-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager" /><title>INFO: ssl.disable.url.hostname.verification.CWPKI0027I</title><content type="html">From what I can tell there can be a number of reasons you might get this error during TAM Configuration or unconfiguration.  In my case I made a small mistake while in a hurry and also because in my test lab, I don't take as much care as I would typically take with a production system.  I did not unconfigure Web Portal Manager before removing WAS.  This should not be a big deal, but apparently it is.&lt;br /&gt;&lt;br /&gt;I'm preparing my TAM Test Lab to also support TFIM.  In doing this I upgraded my TAMeB components to 6.1 FP002.  But, also I chose to replace the WAS 6.1 server with a WAS 6.1 ND because I plan to do some other clustering stuff as well.&lt;br /&gt;&lt;br /&gt;The TAMeB upgrade and patches worked fine.  Afterwards, TAM, pdadmin, and WPM were all fine.  But after manually removing WAS 6.1 and installing WAS 6.1 ND, WPM was hosed.  To install WPM, I simply installed it using the GUI installer as I have done before, only this time WPM did not show up in the ISC as it should, even though the installation said it was successful.  
So, I then realized that when I had removed WAS and installed WAS ND, I had never unconfigured WPM.&lt;br /&gt;&lt;br /&gt;Attempting to unconfigure Web Portal Manager using pdconfig or amwpmconfig resulted in this:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Tivoli Access Manager administrator ID: [sec_master]:&lt;br /&gt;Tivoli Access Manager administrator password:********                                           *java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Then I realized the JRTE needed to be reconfigured for the new WAS 6.1 ND  so I ran through the JRTE configuration again for my latest Java 5 location and for the WAS 6.1 ND JRE.  Then the next problem was this:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Enter the IBM WebSphere Application Server or Deployment Manager&lt;br /&gt;installation full path [/opt/IBM/WebSphere/AppServer]:&lt;br /&gt;Policy server host name [tam]:&lt;br /&gt;Tivoli Access Manager policy server port number [7135]:&lt;br /&gt;Enter the Access Manager policy server domain [Default]:&lt;br /&gt;Tivoli Access Manager administrator ID: [sec_master]:&lt;br /&gt;Tivoli Access Manager administrator password:********                                           *Enter the hostname of the IBM WebSphere Application Server&lt;br /&gt; or Deployment Manager[tam]:&lt;br /&gt;Enter the SOAP Admin port number of the WebSphere&lt;br /&gt; Application Server or Deployment Manager [8880]:&lt;br /&gt;Is WebSphere security enabled (y/n) [n]?&lt;br /&gt;Unconfiguration of:&lt;br /&gt;Access Manager Web Portal Manager&lt;br /&gt; is in progress.  
This might take several minutes.&lt;br /&gt;&lt;br /&gt;Jun 1, 2009 10:58:47 PM com.ibm.ws.ssl.config.SSLConfigManager&lt;br /&gt;INFO: ssl.disable.url.hostname.verification.CWPKI0027I&lt;br /&gt;java.lang.NullPointerException&lt;br /&gt;        at com.tivoli.pd.jwpmcfg.WPMConfigure.unconfig(WPMConfigure.java:572)&lt;br /&gt;        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)&lt;br /&gt;        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)&lt;br /&gt;        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)&lt;br /&gt;        at java.lang.reflect.Method.invoke(Method.java:615)&lt;br /&gt;        at com.tivoli.pd.jwpmcfg.WPMConfigWrapper.unconfig(WPMConfigWrapper.java:325)&lt;br /&gt;        at com.tivoli.pd.jwpmcfg.AMwpmcfg.interactUnCfg(AMwpmcfg.java:447)&lt;br /&gt;        at com.tivoli.pd.jwpmcfg.AMwpmcfg.main(AMwpmcfg.java:271)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So after scratching my head enough times and poking around I discovered that all I needed to do was delete /opt/PolicyDirector/etc/amwpmcfg.properties.  This allowed me to reconfigure the Web Portal Manager using pdconfig and now Web Portal Manager shows up properly in the Integrated Solutions Console as it should.  So I only lost 4 hours messing around with this silly issue.  Just goes to show how a simple mistake can cost you 1/2 day of work.&lt;br /&gt;&lt;br /&gt;Cheers!
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/7886809525985368916/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=7886809525985368916" title="25 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7886809525985368916?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7886809525985368916?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/4zmgreSIg3A/info-ssldisableurlhostnameverificationc.html" title="INFO: ssl.disable.url.hostname.verification.CWPKI0027I" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>25</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/06/info-ssldisableurlhostnameverificationc.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUMAQns8cCp7ImA9WxJRF0U.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-162713831637168233</id><published>2009-05-19T22:18:00.008-04:00</published><updated>2009-05-19T22:44:03.578-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-19T22:44:03.578-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Server" 
/><title>LDAP: error code 52 - Unavailable</title><content type="html">OK, there may be numerous reasons for this error, but of course TDS just doesn't come right out and explain it for you.  This was a weird one in my case because I was simply trying to delete a password policy which I had no problems creating just moments ago.  I was trying a quick and dirty test which turned into several hours of troubleshooting in the midst of my other duties.&lt;br /&gt;&lt;br /&gt;Well I tried to delete this password policy using the TDS Web Admin Tool and this is what resulted:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;GLPWSA124E Failed to delete the password policy object. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Then I attempted to use my trusty LDAP Browser/Editor and got a different error, but the same result:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;10:19:52 PM: Failed to delete entry cn=pwPolicy1, CN=IBMPOLICIES&lt;br /&gt;Root error: [LDAP: error code 52 - Unavailable]&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So, just for kicks I enabled trace logging:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;ldtrc on&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I restarted the server and attempted to delete my password policy again.  
Here's what showed up in the log:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;137:23:14:33 T115510160 Delete operation for DN CN=PWPOLICY1,CN=IBMPOLICIES requested by CN=ROOT.&lt;br /&gt;137:23:14:33 T115510160 select_backend: g_backends=0x9928310, dn=CN=PWPOLICY1,CN=IBMPOLICIES&lt;br /&gt;137:23:14:33 T115510160 select_backend: selected CN=IBMPOLICIES&lt;br /&gt;137:23:14:33 T115510160 subtreeDn=CN=IBMPOLICIES&lt;br /&gt;137:23:14:33 T115510160 The update is not from a supplier.&lt;br /&gt;137:23:14:33 T115510160 send_ldap_result2: err=10 matched=[] text=[]&lt;br /&gt;137:23:14:33 T115510160 WriteToSocket: Sending msg to client&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So, I'm thinking "who cares if the update is from a supplier or not?"  This got me thinking about a replication issue.  Now when I built my replicas for this test lab, I did not configure replication for CN=IBMPOLICIES.  At the time I had no desire to replicate these.&lt;br /&gt;&lt;br /&gt;In looking at this further I see that the replication topology is all hosed for CN=IBMPOLICIES.&lt;br /&gt;&lt;br /&gt;Peer 1:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_RYX6m6z2GVU/ShNspYiLkII/AAAAAAAAAJk/uCVibJgY1WM/s1600-h/1.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 120px;" src="http://2.bp.blogspot.com/_RYX6m6z2GVU/ShNspYiLkII/AAAAAAAAAJk/uCVibJgY1WM/s200/1.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5337729441580421250" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Peer 2:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_RYX6m6z2GVU/ShNs4ZpyXUI/AAAAAAAAAJs/gx9sCjdRu3c/s1600-h/2.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 132px;" 
src="http://1.bp.blogspot.com/_RYX6m6z2GVU/ShNs4ZpyXUI/AAAAAAAAAJs/gx9sCjdRu3c/s200/2.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5337729699578797378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So, then how to clean this mess up?  I found a handy tech note on the IBM Support Web Site.  I know this was referenced by the good folks at L2 Support who put on an STE a while back.  It just took me a while to relate the fact that I couldn't delete this simple password policy to a replication issue.  Anyhow, the tech note:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=cn%3dibmpolicies&amp;uid=swg21226577&amp;loc=en_US&amp;cs=utf-8&amp;lang=en"&gt;http://www-01.ibm.com/support/docview.wss?rs=767&amp;context=SSVJJU&amp;q1=cn%3dibmpolicies&amp;uid=swg21226577&amp;loc=en_US&amp;cs=utf-8&amp;lang=en&lt;/a&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/162713831637168233/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=162713831637168233" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/162713831637168233?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/162713831637168233?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/DZUsXyj1fmQ/ldap-error-code-52-unavailable.html" title="LDAP: error code 52 - Unavailable" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_RYX6m6z2GVU/ShNspYiLkII/AAAAAAAAAJk/uCVibJgY1WM/s72-c/1.gif" height="72" width="72" /><thr:total>3</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/05/ldap-error-code-52-unavailable.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0EERHsyfip7ImA9WxJRF0k.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-5622183788534664792</id><published>2009-05-19T11:52:00.002-04:00</published><updated>2009-05-19T12:13:25.596-04:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-05-19T12:13:25.596-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Breach" /><title>For some things there may not be a technology solution for..</title><content type="html">This recent example in New Jersey about a "clerical error" which led to sending people's names and SSN #s to the wrong place --&gt; &lt;a href="http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html"&gt;http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html&lt;/a&gt; is one of those examples where people just have to have a better system of doing things even if it does not involve a computer or software solution. I mean maybe it comes down to having more conscientious people working in those positions that handle sensitive information.  This was a clerical error, so I'm trying to imagine a handful of hard working individuals manually stuffing envelopes with the wrong reports to the wrong companies and wondering how their managers articulated what reports go into what envelopes.  Or was it blatantly obvious which reports go in which envelopes and the people stuffing them were just oblivious to what they were doing?&lt;br /&gt;&lt;br /&gt;Someone very close to me works in one of our illustrious social organizations in the People's Republic of New York and I hear stories all the time about the lackadaisical attitudes, complaining, and just general acceptance of mediocrity in the workplace.  Managers sometimes hiding in their offices making no improvements to processes or efficiencies, rewarding people's laziness with overtime hours because people do not understand the meaning of hustling on the job.  &lt;br /&gt;&lt;br /&gt;Sometimes all it takes is for people to care enough about what they do to avoid these mistakes.  
I make no claim to understand the work environment of the folks at the NJ Department of Labor and Workforce Development, after all when humans are involved there certainly can be error and there may not necessarily be a technology solution for it.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/5622183788534664792/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=5622183788534664792" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5622183788534664792?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/5622183788534664792?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/c-0di9YfPtQ/for-some-things-there-may-not-be.html" title="For some things there may not be a technology solution for.." 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/05/for-some-things-there-may-not-be.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEGSHY6eSp7ImA9WxJRFE8.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-1005931674226330235</id><published>2009-05-15T15:57:00.003-04:00</published><updated>2009-05-15T17:23:49.811-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-15T17:23:49.811-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Breach" /><title>Who's Identity Information is safe anymore?  Probably no ones.</title><content type="html">I was reading up on the latest security breaches and stumbled onto this web site, which has recorded hundreds of known security breaches since 2005.  Check it out here:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;http://www.privacyrights.org/ar/ChronDataBreaches.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's amazing how many different ways your personal identity information could be compromised.  So much of this can be prevented with the proper security measures.  
I don't know if the number of incidents is rising or not, but it seems the same vulnerabilities continue to be exploited: lost equipment, compromised web sites, internal users' mishandling of data.&lt;br /&gt;&lt;br /&gt;There is a link to another great web site full of the latest statistical information about breaches which I find very interesting:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://datalossdb.org/"&gt;http://datalossdb.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Protecting people's identities is an ongoing battle which most security professionals recognize must be fought on many fronts.  There's not too much you can do about an employee in whom you place trust not to misuse data, but you can certainly implement good auditing tools which security managers can use to help keep the honest people honest.  Then of course there is always human error.  Well, again, even though people make mistakes, there are some safeguards that can be put in place to prevent people from doing stupid things like inadvertently sending out mail with people's SSNs on the labels.  As for the missing or stolen equipment, well, there are some great disk encryption solutions out there.&lt;br /&gt;&lt;br /&gt;Makes you think twice about giving any company or government your information, doesn't it?
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/1005931674226330235/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=1005931674226330235" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/1005931674226330235?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/1005931674226330235?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/M3-xtQNymoI/whos-identity-information-is-safe.html" title="Who's Identity Information is safe anymore?  Probably no ones." 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/05/whos-identity-information-is-safe.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8FQXg7fSp7ImA9WxJTFU4.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-8949578577017476174</id><published>2009-04-23T20:38:00.003-04:00</published><updated>2009-04-23T21:00:10.605-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-04-23T21:00:10.605-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Identity Manager" /><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager" /><title>Can you teach a bear to dance?</title><content type="html">Any of you Identity Management professionals out there probably know where I'm going with this.  How many times have you been in design discussions with a customer and just cringed at what they were trying to do?  Do you tell the customer they are crazy?  Or do you suck it up and do your best to just make something work?  Sometimes you don't have a choice, but one thing I've learned is that it is very important to make the key stakeholders understand that we may be able to teach that bear to dance, but it ain't going to be pretty and the bear might not like it very much.&lt;br /&gt;&lt;br /&gt;Some people are convinced that if you can write code then you should not really have many boundaries.  True, that if it's software and the APIs are available you can do just about anything.  But that doesn't always mean it should be done.&lt;br /&gt;&lt;br /&gt;Identity Management projects induce much change in an organization. 
Sometimes folks have a tendency to look for a way to code around having to ask someone to accept a change in their routine or what they know.  This doesn't always work.  &lt;br /&gt;&lt;br /&gt;People, when rolling out an Identity and Access Management solution, get ready to make a few changes in your life.  New Identity?  For sure.  New Logon ID?  Perhaps.  New password? Likely.  Single Sign On?  Sure, but hopefully you're not trying to make a bear dance.  :-)
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/8949578577017476174/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=8949578577017476174" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8949578577017476174?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8949578577017476174?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/23qkkbnXBaw/can-you-teach-bear-to-dance.html" title="Can you teach a bear to dance?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/04/can-you-teach-bear-to-dance.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEYFSX0-fip7ImA9WxVbFUw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-4362491577390982341</id><published>2009-03-31T08:48:00.006-04:00</published><updated>2009-03-31T11:08:38.356-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-31T11:08:38.356-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Access Manager ESSO" /><title>IBM's Enterprise Single Sign On -  The new stuff</title><content type="html">Well, maybe it's not really so new.  IBM acquired Encentuate about a year ago.  Since then they have had time to  "blue wash" the product and build up the Information Center, support and all sorts of other helpful sites and documentation.  Today the product looks like it is happily at home within the TAM family.
&lt;br /&gt;
&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_RYX6m6z2GVU/SdIstILgXuI/AAAAAAAAAJE/-5vsGcDxyPw/s1600-h/clip_image002.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 150px;" src="http://1.bp.blogspot.com/_RYX6m6z2GVU/SdIstILgXuI/AAAAAAAAAJE/-5vsGcDxyPw/s200/clip_image002.gif" alt="" id="BLOGGER_PHOTO_ID_5319363263679454946" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIugTte_-I/AAAAAAAAAJM/GkEwFhUugG8/s1600-h/test1.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 154px;" src="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIugTte_-I/AAAAAAAAAJM/GkEwFhUugG8/s200/test1.gif" alt="" id="BLOGGER_PHOTO_ID_5319365242459717602" border="0" /&gt;&lt;/a&gt;
&lt;br /&gt;Last year when IBM first acquired Encentuate, I quickly got signed up as an Encentuate partner while IBM was working through the red tape.  I was anxious to see the new stuff, because I was hoping that it would be much better than the prior software.  You know how sometimes you equate newer with better?  I know that's silly, but I get a kick out of new software.  I got the same excitement when I first downloaded and kick-started SLES 10.  I was pleasantly satisfied with my first experience with the Encentuate product.  Its ease of installation and, most of all, the accuracy of the documentation were a welcome surprise.
&lt;br /&gt;
&lt;br /&gt;Lately, I have had some time to get a much closer look at the new TAM ESSO v8.  There is support for a wide array of application types including Windows, Web, Mainframe HLLAPI, Mainframe or cursor-based, TTY, Java applet, and more.  It is safe to say that 80% - 85% of your applications will work with TAM ESSO right out of the box!
&lt;br /&gt;
&lt;br /&gt;Implementing TAM ESSO is a cake walk compared to your typical Identity Management endeavor.  Still, the most difficult part of implementing TAM ESSO, or any SSO product for that matter, is the oddball applications where the single sign-on product has trouble detecting the logon window.  For your project you may have 20 applications that work flawlessly with SSO, then you might have 2 applications that for whatever reason cause a problem.  So while it might take 10 minutes to profile each of the 20 good applications, it could take 10 hours to profile 1 difficult application.  This is a key differentiator between the different SSO products on the market and I think TAM ESSO is the best that I have seen in this regard.  So then you have to look at the tool(s) that come with a product to help you profile those tough applications.  Again TAM ESSO v8 shines above others with its AccessStudio.
&lt;br /&gt;
&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIvPFI7KAI/AAAAAAAAAJU/0WHj_IOjMto/s1600-h/test2.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 146px;" src="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIvPFI7KAI/AAAAAAAAAJU/0WHj_IOjMto/s200/test2.gif" alt="" id="BLOGGER_PHOTO_ID_5319366046002128898" border="0" /&gt;&lt;/a&gt;
&lt;br /&gt;The AccessStudio is a state engine tool which gives you control over what happens at each window event that occurs for your application.  You literally have the ability to add your own triggers, customized XPath statements, and actions during the logon process of a given app.  You can even call out to some JavaScript or VBScript, and the tool makes it very logical to customize the behaviour of TAM ESSO.  AccessStudio even has a testing function that lets you test the logon process with your custom profile and shows you, step by step, which window events are happening and which triggers and actions are taking place during the process.  This way you do not have to upload the profile to the server before you are done testing it.  The cool thing about the AccessStudio is that even for a profile which requires customization, you can still use the wizard to auto-generate the profile, then simply enable state editing of the profile to make your customizations.  I think the AccessStudio tool is much more powerful than the tools we had to work with for the old product.  Therefore, it might take a bit more effort to learn how to recognize all of the states and how to customize them, but the wizard built in to AccessStudio automatically recognizes most of your apps properly, so that should mean quicker deployments and quicker ROI.
&lt;br /&gt;
&lt;br /&gt;Some competitors of the new TAM ESSO product would say that a downside to the new TAM ESSO is that it requires a server or multiple servers.  The fact is that you do need at least one server because TAM ESSO uses an RDBMS (either MS SQL, Oracle or DB2) to store policies, profiles, credentials, and report data.  The old product did not require a server because it stored information in a directory (Active Directory, Novell, or LDAP) which typically already exists in most companies.  I personally don't think it makes a difference.  The solution can be virtualized just like anything else out there and most companies have hundreds of servers already.  Having more servers typically reduces risk by not having all your eggs in one basket.  Virtualization is there to allow you to reduce the need for physical hardware and make better use of the processing power that often sits idle on many physical servers.  But that's not the only reason to appreciate the requirement of a server for TAM ESSO.  The advantage is that you can implement TAM ESSO without any direct impact whatsoever to existing enterprise directories.  The old product required schema extension to the Active Directory.  While I still do not think that is a big deal (it's what directories were designed to handle), some admins hesitate to extend their schema, and since it affects their production system, it is something you have to plan appropriately for.  Additionally, multi-forest and multi-domain AD systems presented a few challenges for how you deployed the old product.  Again, I don't think that is a huge deal either; however, the need for a server in the new TAM ESSO product provides another added benefit...  reports.  TAM ESSO v8 will gather compliance reports such as who accessed what applications, what machine they were logged into when accessing those apps, what credentials were being used, etc.  
The old product provided nothing like this and if it had, the addition of a server would likely be a requirement.  A typical IBM server should be able to handle 36,000 user authentications per server per hour so depending on the size of your organization a single server would do the trick.  The servers can be clustered and load balanced so the solution scales very well.
&lt;br /&gt;
&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIxOyz0Q-I/AAAAAAAAAJc/iAiZGgE-GQU/s1600-h/test3.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 154px;" src="http://4.bp.blogspot.com/_RYX6m6z2GVU/SdIxOyz0Q-I/AAAAAAAAAJc/iAiZGgE-GQU/s200/test3.gif" alt="" id="BLOGGER_PHOTO_ID_5319368240105014242" border="0" /&gt;&lt;/a&gt;Password reset is one of the common reasons companies buy a Single Sign On product like TAM ESSO.  The password reset feature works much the same way as it did in the old product.  From the logon dialog you click reset password and, right within the logon dialog itself, you are presented with challenge/response questions.  If the desktop is locked, a link can be added to the locked dialog which takes you to the AccessAssistant to reset your password.  One difference between the old product and the new product is that you cannot just purchase and deploy only the password reset feature.  The old product allowed for licensing just the password reset because it was really a separate set of code (web application and GINA piece).  The new product is licensed as one product, so to do just password reset you still need to deploy the IMS server.  Of course you can use just the password reset function of the new product; however, you cannot just purchase that component.
&lt;br /&gt;
&lt;br /&gt;Support for me is a key differentiator when purchasing a security product.  I used to be a customer of IBM, Novell, Microsoft, and others, so quality of support is key to my choosing any product.  First, the IBM documentation for TAM ESSO v8 is fantastic compared to the old version.  Maybe the Encentuate team should get the kudos for this.  All I can say is that for the most part, the documentation covers a lot of ground and is pretty darned accurate.  It is much more understandable and logical than the old stuff I had to deal with.  There are also a couple of great resources which I should point out:
&lt;br /&gt;
&lt;br /&gt;The developerWorks site for TAM ESSO is being monitored and the responses are very quick and helpful.  There are some folks who really know the software well regularly posting answers to questions on the site, and since I don't know their names all I can say is "Thank you!" to whoever they are.  The URL to the site:
&lt;br /&gt;
&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592&amp;amp;start=0"&gt;http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1592&amp;amp;start=0&lt;/a&gt;
&lt;br /&gt;
&lt;br /&gt;The IBM OPAL web site contains over 200 profiles for applications out there.  This is way cool because again part of the effort for implementation is to build these profiles.  Some take minutes and some take hours so if you are deploying TAM ESSO, you may be able to take advantage of these.  Why re-invent the wheel?  The URL to OPAL, search for Tivoli Access Manager for Enterprise Single Sign-On:
&lt;br /&gt;&lt;a href="http://www-01.ibm.com/software/brandcatalog/portal/opal/results?catalog.catalogName=Tivoli+OPAL&amp;amp;catalog.searchTerms=&amp;amp;catalog.c=Software_IBM_TivoliAccessManagerForEnterpriseSingleSignOn&amp;amp;catalog.start=0"&gt;
&lt;br /&gt;http://www-01.ibm.com/software/brandcatalog/portal/opal&lt;/a&gt;
&lt;br /&gt;
&lt;br /&gt;There is a great Wiki for TAM ESSO with documentation on how to build custom profiles, architecture diagrams, and deployment scenarios.  This is great information to help you get started with your project.  Check out the URL here:
&lt;br /&gt;
&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Home"&gt;http://www.ibm.com/developerworks/wikis/display/tivoliaccessmanagerforesso/Home&lt;/a&gt;
&lt;br /&gt;
&lt;br /&gt;Also, don't forget to check out the information center as well.  Bottom line, if I were a customer looking to choose a single sign on product I would choose IBM's new TAM ESSO over any other because it is one of the best if not the best at recognizing logon windows for any type of application, not just the typical Windows and Web apps.  The support is top notch and there is a great deal of information publicly available to help you become self sufficient.  If I were a customer I would hire consulting help for a short term "getting started" type of approach to help my internal staff get a jump start with help from folks who have done it before.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/4362491577390982341/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=4362491577390982341" title="16 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4362491577390982341?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/4362491577390982341?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/rVk8kgJaUok/ibms-enterprise-single-sign-on-new.html" title="IBM's Enterprise Single Sign On -  The new stuff" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_RYX6m6z2GVU/SdIstILgXuI/AAAAAAAAAJE/-5vsGcDxyPw/s72-c/clip_image002.gif" height="72" width="72" /><thr:total>16</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/03/ibms-enterprise-single-sign-on-new.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQFQn85fyp7ImA9WxVUE0Q.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-8236693076348079418</id><published>2009-03-18T10:02:00.007-04:00</published><updated>2009-03-18T12:38:33.127-04:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-03-18T12:38:33.127-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Miscellaneous" /><title>Whew!  The fingers are a bit rusty.</title><content type="html">I sort of feel like I've neglected a child or something. The past year has been so overwhelmingly busy that I have failed to keep this blog up to date in any meaningful way. I hope to change that this year as I continue on this path doing Tivoli Security. &lt;div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Anyhow, besides a significant amount of traveling over most of 2008 and the beginning of 2009, I had also embarked on a major home construction project. It seems my whole life is about projects even at home. So just in case someone thinks that I have been sitting on my duff and not posting things to my blog, here is a small glimpse into my home project:&lt;br /&gt;&lt;/div&gt;&lt;div&gt;First off, just to provide some perspective, I was involved in a fairly complex TIM/TAM/TFIM project on the East coast for all of 2008 and the first part of 2009. So, I would often leave my home in Buffalo on Monday morning and travel back home on Thursday night or Friday. Practically every weekend and any week nights I had available in 2008 were spent finishing my basement.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;The kids were in need of some rec space. Living in the North you tend to spend several months in hibernation so finishing the basement was essential to providing a little more space for the kids to be kids. On top of that I desperately needed an office. For too long my filing cabinets had been stored in my walk-in closet off our master bedroom. Then my wife was also getting fed up with me camping out at our dining room table to do my work. Picture two laptops, two external hard drives, power strips lying across the dining room floor and papers strewn across the dining room table. 
Of course all of those Tivoli lab guides and classroom materials and CDs laying around doesn't help either.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;So, I finished my basement and in all this took about 10 months between February 2008 and December 2008. I still have some trim work and doors to do and of course we will have to furnish it now. Feel free to view my pictures on Flickr:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/cahart"&gt;http://www.flickr.com/cahart&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Before:&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_RYX6m6z2GVU/ScEikYjMioI/AAAAAAAAAI0/wb-__7Cd2aw/s1600-h/030908+015.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5314567043734604418" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand; HEIGHT: 150px" alt="" src="http://1.bp.blogspot.com/_RYX6m6z2GVU/ScEikYjMioI/AAAAAAAAAI0/wb-__7Cd2aw/s200/030908+015.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;After:&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;a href="http://3.bp.blogspot.com/_RYX6m6z2GVU/ScEjIq1BPWI/AAAAAAAAAI8/GgVAwZba0Ls/s1600-h/DSCN1448.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5314567667116490082" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand; HEIGHT: 150px" alt="" src="http://3.bp.blogspot.com/_RYX6m6z2GVU/ScEjIq1BPWI/AAAAAAAAAI8/GgVAwZba0Ls/s200/DSCN1448.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8917494754834522798-8236693076348079418?l=charlesahart.blogspot.com' alt='' 
/&gt;&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/8236693076348079418/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=8236693076348079418" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8236693076348079418?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/8236693076348079418?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/q6IX7cH0_xM/whew-fingers-are-bit-rusty.html" title="Whew!  The fingers are a bit rusty." 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_RYX6m6z2GVU/ScEikYjMioI/AAAAAAAAAI0/wb-__7Cd2aw/s72-c/030908+015.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2009/03/whew-fingers-are-bit-rusty.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D08BSH05fSp7ImA9WxRSFEw.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-7626415284335307147</id><published>2008-09-14T14:08:00.002-04:00</published><updated>2008-09-14T14:10:59.325-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-14T14:10:59.325-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Integrator" /><title>What version of TDI are you using?</title><content type="html">It took me a while to find this tech note one day so I figured I would post a link to it for future reference.  Pretty handy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www-01.ibm.com/support/docview.wss?rs=697&amp;amp;context=SSCQGF&amp;amp;uid=swg21302983&amp;amp;loc=en_US&amp;amp;cs=UTF-8&amp;amp;lang=en"&gt;Determining the TDI 6.1 Fixpack level&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8917494754834522798-7626415284335307147?l=charlesahart.blogspot.com' alt='' /&gt;&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/7626415284335307147/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=7626415284335307147" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7626415284335307147?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/7626415284335307147?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/jp41tLDtASQ/what-version-of-tdi-are-you-using.html" title="What version of TDI are you using?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2008/09/what-version-of-tdi-are-you-using.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEcBR3s6cCp7ImA9WxdbFkU.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-2087477249181119721</id><published>2008-08-13T22:20:00.001-04:00</published><updated>2008-08-13T22:47:36.518-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-08-13T22:47:36.518-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Directory Server" /><title>LDAP - What's in a string?</title><content type="html">Sometimes when I'm doing projects I run across some things that make me wonder... Huh?&lt;br /&gt;&lt;br /&gt;When you are building LDAP objectclasses and attributes for your Identity Management project, should you be using Directory String or IA5 String for your typical attributes?  Actually there are several string types supported by LDAP:&lt;br /&gt;&lt;br /&gt;IA5String, DirectoryString, PrintableString, OctetString, PostalAddress, CountryString and NumericString.&lt;br /&gt;&lt;br /&gt;Most often in the projects I have worked on we would use DirectoryString for most custom attributes.  Looking at the RFCs you can pick up bits and pieces about the differences between IA5String and Directory String.  My friend Thom Anderson does a great comparison of these two string types.  
Read on:&lt;br /&gt;&lt;br /&gt;&lt;p style="font-family: arial; color: rgb(51, 51, 255); font-weight: bold;" class="MsoNormal"&gt;&lt;span style="font-size: 11pt;"&gt;"The IA5 is more constrained than Directory String.  You can think of it as ASCII on steroids . . . ASCII is a 7-bit protocol and for years, persons have been finding themselves with an eight-bit byte wondering what to do with the extra bit.  Normally, they use the ‘zero’ value of the extra bit for ASCII characters and then use the ‘one’ value for things such as special characters (early IBM PC) or European characters (IA5).  Although the ‘IA’ in IA5 means ‘international alphabet’, it does not include all languages as that would require more than 8 bits.  That is where Directory String comes in.  Directory String is basically UTF-8, a version of Unicode that has only 8 bits for Western languages, but requires more bits (in 8-bit increments) as one moves East."&lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial; color: rgb(51, 51, 255); font-weight: bold;" class="MsoNormal"&gt;&lt;span style="font-size: 11pt;"&gt;"Only in IA5 can you be assured that the number of characters and number of bytes is the same.  Of course, that would limit one to Western characters, but that is not such a bad thing.  In many cases, it will not make any difference.  In the U.S. ASCII is sufficient and it is a subset of both IA5 and UTF-8."&lt;/span&gt;&lt;/p&gt;
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/2087477249181119721/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=2087477249181119721" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2087477249181119721?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2087477249181119721?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/VRIC19FfWbM/ldap-whats-in-string.html" title="LDAP - What's in a string?" 
/><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2008/08/ldap-whats-in-string.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EFRX49cSp7ImA9WxdXFU4.&quot;"><id>tag:blogger.com,1999:blog-8917494754834522798.post-2197039140052706563</id><published>2008-06-26T21:01:00.004-04:00</published><updated>2008-06-26T21:53:34.069-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-06-26T21:53:34.069-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tivoli Identity Manager" /><title>Interesting observation about the erglobalid</title><content type="html">Most of the implementations I have worked on do not require a large, complicated TIM organizational structure; however, every now and then it is a requirement to have many OUs.  In fact, you may have a requirement for many thousands of organizational units, as bizarre as that might sound.  So it's nothing new that you can import these objects.  TDI is a handy tool for helping to pull this off, by the way.  There was a recent post on the developerWorks web site about this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/forums/thread.jspa?threadID=201930&amp;amp;tstart=-1"&gt;http://www.ibm.com/developerworks/forums/thread.jspa?threadID=201930&amp;amp;tstart=-1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Since I have been on a recent project where we had a need to import several thousand OUs, one of the questions we asked ourselves was: how do we assign an erglobalid to each of these that we can be sure is not already in use?  
One way might be to build in some random generator of our own and do a lookup against TIM to verify that the number is not already in use before we choose it.  Another way, we thought, is to just assign a sequential number, because it is not likely that TIM will have an obvious pattern, especially since we haven't yet put any users into TIM.  We tried this method and it worked pretty well, so we figure the first erglobalid we will use is, say, erglobalid=11111111110000000001, and then we just increment it from there.  No problem so long as we don't happen to stumble on one that is already in use.  And if that happens, the TDI assembly line bombs out and then we'll have to deal with it.&lt;br /&gt;&lt;br /&gt;One of my IBM friends recently discovered that we could actually use any ASCII characters as our erglobalid.  I never really gave it much thought, but it is really a string anyhow.  Internally TIM will use a numeric string.  Apparently TIM will never use any alpha or non-numeric characters in the erglobalid.  So if you want to be sure that you generate an erglobalid that is not already in use, just use letters or something other than numbers.  
Or maybe even a combination of the two.&lt;br /&gt;&lt;br /&gt;Just to try this out I threw together this LDIF of two org units and imported it into my TIM tree with no problem:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;dn: erglobalid=ABCDEFGHIJKLMNOPQRST,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com&lt;br /&gt;erparent: erglobalid=2989976714741706113,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com&lt;br /&gt;erglobalid: ABCDEFGHIJKLMNOPQRST&lt;br /&gt;ou: Fred&lt;br /&gt;objectclass: top&lt;br /&gt;objectclass: organizationalunit&lt;br /&gt;objectclass: erManagedItem&lt;br /&gt;objectclass: erOrgUnitItem&lt;br /&gt;&lt;br /&gt;dn: erglobalid=abcdefghi!@#$%^&amp;amp;*()_,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com&lt;br /&gt;erparent: erglobalid=2989976714741706113,ou=orgChart,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com&lt;br /&gt;erglobalid: abcdefghi!@#$%^&amp;amp;*()_&lt;br /&gt;ou: Barney&lt;br /&gt;objectclass: top&lt;br /&gt;objectclass: organizationalunit&lt;br /&gt;objectclass: erManagedItem&lt;br /&gt;objectclass: erOrgUnitItem&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;At least if you create your OUs this way you can always tell which erglobalids were created by TIM and which ones were created by your import processes.  Just thought this was interesting.
</content><link rel="replies" type="application/atom+xml" href="http://charlesahart.blogspot.com/feeds/2197039140052706563/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=8917494754834522798&amp;postID=2197039140052706563" title="7 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2197039140052706563?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8917494754834522798/posts/default/2197039140052706563?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/CharlesAhart/~3/ClGiEM-4bfo/interesting-observation-about.html" title="Interesting observation about the erglobalid" /><author><name>Charles Ahart</name><uri>http://www.blogger.com/profile/10028247520218687517</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>7</thr:total><feedburner:origLink>http://charlesahart.blogspot.com/2008/06/interesting-observation-about.html</feedburner:origLink></entry></feed>

